After what feels like years of build up, GDPR D-day has come and gone.
In preparation, you probably identified every piece of sensitive data on your network. You’ve carefully issued swipe cards and assessed authorised privileges, instituting a GDPR-compliant process for every possible eventuality. You’ve even brought in the GDPR legal eagles who’ve given you a clean bill of health.
You’re in the clear. Or so you think…
As with any regulation, there are always blind spots and grey areas. While you’ve most likely given more than enough airtime to ensuring your digital data is fully compliant, you definitely wouldn’t be the only company to have failed to give as much attention to its physical counterpart.
Picture this scenario: despite your organisation spending a significant chunk of your budget on becoming GDPR compliant, a member of your team leaves a print-out of an entire customer database hanging out of the office recycling bin. While it may just look like a bit of a mess, this could actually constitute a breach of compliance with the ability to inflict financial or legal punishment.
GDPR is more than just technology
Paper documents have become the glaring blindspot in every GDPR plan. Any organisation’s compliance strategy is torn to shreds once users disengage with the whole purpose behind data privacy and treat prints and scans without the sensitivity they demand.
After all, physical data has the ability to spread its way across the office as fast as an internal email. Here are four very possible scenarios that could leave you open to a breach:
At the end of a meeting in a shared conference room, attendees walk out with their used mugs still on the table and their print-outs left beside them, leaving confidential and personal data open to a breach.
A few employees are behind on their office chores, resulting in an overflow of paper from the recycling bins. Due to ineffective recycling, a GDPR breach has occurred.
Someone in the finance department has printed a list of debtors, but got distracted by a phone call before they had the chance to pick it up from the device. This is bad practice even before you bring GDPR into the mix.
Back to basics
According to the vagaries of GDPR, each of these scenarios changes the status of a document from being securely held under a compliant process to being a ‘public document’. And that, in turn, drastically alters the compliance status of the organisation responsible.
Okay, the examples above may involve simple human error. However, although these errors are minor, they can result in major penalties, including the much touted fine of up to 4% of your annual turnover.
It’s worth putting GDPR to one side for a moment and considering that breaches like this should not happen regardless of compliance requirements. Individuals are entitled to have their personal data treated sensitively and confidentially, and leaving pieces of paper lying around very obviously flies in the face of that.
So what can you do?
The mitigation is more than just staff awareness or even training. Awareness allows an easy ‘get-out’ from people’s innate sense of responsibility. The key is to foster sensitivity to the issue and define processes that all individuals consciously engage with. These processes, when documented, support the achievement of GDPR compliance, and demonstrate a commitment to best practice even if something does go wrong in the future.
We’d also advise you to add to these processes with greater control over what comes out of devices. When configured correctly, print management solutions such as KYOCERA Net Manager and MyQ can provide a ‘state of the art’ technology to ensure documents are secure and not left at a device unattended. As well as user access, such solutions can also automate document storage and deletion and provide full audit trails of what the device has been used for.
As a technology provider, even we recognise that technology only gets you so far. Your people and culture are your ultimate defence against any threat to data protection or privacy, and fully addressing this need could be your best GDPR investment.
Don’t just take our word for it though, especially as this article doesn’t constitute legal advice. That can be found with GDPR law subject experts, and for further information you should refer to the Information Commissioner’s Office.
About the author
Joe Doyle joined the KYOCERA group in July 2018 as Group Marketing Director and has over 20 years of business-to-business marketing experience across telecoms, technology and business process outsourcing.
Joe was previously Marketing Director at Annodata, and prior to that held the role of Vice President of Global Marketing at Sitel, one of the world’s largest BPOs. Joe has also held senior roles in companies including Azzurri Communications, Npower, Kingston Communications and Cable & Wireless.
Joe has provided thought leadership and best-practice advice via countless magazine and online publications as well as speaking at numerous events in both Europe and the US.